Code leaked on Github by the Shadow Brokers group this past weekend has unnerved security researchers, as some evidence emerges possibly linking the exploits to the National Security Agency (NSA).
Recent documents from NSA whistleblower Edward Snowden were published by The Intercept on Friday, strengthening evidence that the code leaked by the Shadow Brokers contains zero-day exploits used by the intelligence agency. The manual provides instructions to NSA operators involving the 16-character string “ace02468bdf13579.” The string of character appears throughout the code released by the Shadow Brokers group.
“I think that we can officially and definitively say that these exploits originated from the NSA,” wrote Core Security systems engineer Bobby Kuzma in an email to SCMagazine.com. He called the latest information “either a very elaborate disinformation plot or the real deal.”
While security professionals were initially skeptical of claims by the Shadow Brokers group's claims, many were already convinced by security advisories issued Wednesday by Cisco and Fortinet that confirmed exploits associated with the code. A day earlier, Kaspersky analysts reported a “strong connection” between the code and previous research by the firm into the “Equation group,” a group that has been tied to the NSA.
Researchers were hypothesizing on Twitter that the NSA had hacked the firewall companies by Thursday. “It sure is strange when your company doesn't just have to worry about attacks from foreign intelligence agencies, but from your own as well,” tweeted F-Secure chief research officer Mikko Hypponen.
The discussion involving these exploits has quickly progressed beyond attribution and has come to involve dramatic flourishes of plot and international intrigue. “The popular theory is that they were released by Russia as a warning shot against escalation in response to the DNC leaks,” Ross Schulman, senior counsel at Open Technology Institute and co-director of New America's Cybersecurity Initiative told SCMagazine.com. He said the theory ties together incidents of the past several weeks, but said it “sounds like something out of a Jack Ryan novel.”
One security professional told SCMagazine.com that the speed at which the discussion involving attribution of the exploits and the leaked code is “astonishing. The security industry “agreed that attribution is difficult, and then at one point, we forgot,” Senrio CEO Stephen Ridley told SCMagazine.com. He said the latest evidence is “definitely pretty strong attribution evidence,” but noted that the chronology is not “bullet-proof.”
Will Ackerly, CTO and co-founder of Virtru, echoed these concerns. The exploits are “very well crafted,” he said, speaking with SCMagazine.com. “But others are going further and saying that it is definitely the NSA.”
The exploits may prompt questions over the use of zero-days by intelligence agencies. The evidence has already prompted some discussion over the number of exploits employed by U.S. intelligence agencies. Although Jason Healey, a senior research scholar on the New York Cyber Task Force at Columbia's School for International and Public Affairs (SIPA), has argued the government has just dozens of zero-days in its arsenal, others are wary of his analysis in light of the advisories issued by Cisco and Fortinet.
“We have to assume these are a small subset of the tools that they have available,” Schulman said. He said the code only involves firewalls used by enterprise organizations, but contains at least a dozen exploits. “There is nothing in there about iOS, Android, or Windows. We have to assume it is more than a hundred.”
Industry professionals agree that the leaked exploits will create a lasting effect on technical aspects of securing data. The exploits are “part of growing evidence that it is not smart to rely on the security of a network to keep data safe,” Ackerly said. “As we see more of these types of exploits, there will likely be a shift from network security to data-centric security.” He expects to see an industry shift towards ensuring that data is locked at the point of inception and only unlocked at the point consumption.
Ridley agreed, noting that he expects the actionable takeaway of the leaked exploits will be technical. He told SCMagazine.com that security pros “need to start architecting networks to assume both devices and endpoints are compromised, and minimize the lateral movement to minimize damage.”Targeted attacks against security infrastructure to lower defenses are now a key target, according to SS8 president and COO Faizel Lakhani. “Software systems are inherently vulnerable due to increased use of third-party software and toolkits,” he wrote in an email to SCMagazine.com. “The idea of being able to prevent these 100% of the time is now accepted as impossible.”